Re: Stopping Frequently Forged Domains

From: Robert Dalton (no email)
Date: Mon Jun 03 2002 - 02:30:38 EDT


Alexander Chiu (Chewy) wrote:
> Stavros,
>
> May I ask what sort of things I need to add to the
> /etc/postfix/strict_client_map file?
>
> Is this the example for strict_sender_msg
> /etc/postfix/strict_sender_msg:
>
>>> /@([^@]*)$/ 554 use mailserver that handles $1 domain
>>
>
> Do you have any sample configuration?
>

Here is the example again with the latest improvements by
Michael Tokarev, and Wietse Venema.

/etc/postfix/main.cf:
   smtpd_sender_restrictions =
      check_sender_access hash:/etc/postfix/strict_sender_map

   smtpd_restriction_classes = strict_client_domain

   strict_client_domain =
      reject_unknown_client,
      check_client_access hash:/etc/postfix/strict_client_map,
      check_sender_access regexp:/etc/postfix/strict_sender_msg

   unknown_client_reject_code = 554

/etc/postfix/strict_sender_map:
     yahoo.com strict_client_domain
     hotmail.com strict_client_domain

/etc/postfix/strict_client_map:
     yahoo.com OK
     hotmail.com OK
     friendly.com OK

/etc/postfix/strict_sender_msg:
    /@([^@]*)$/ 554 Use mailserver that handles $1 domain

If you have no need for a custom reject message then leave out the file
/etc/postfix/strict_sender_msg, and replace
"check_sender_access regexp:/etc/postfix/strict_sender_msg" with "reject".

friendly.com is a mail server that legitimately forwards email for hotmail
or yahoo.

Using the above method, I've stopped close to 300 spam messages in one day on
a mail server that handles ~1000 users.

This method has one drawback. If you start populating the strict_sender_map
and strict_client_map with too many xyz domains, the method starts to lose its
effectiveness. This is because spammers at xyz domains can now forge email @yahoo
and @hotmail domains. Recommended usage: populate the files with the 10 most
frequently forged domains. Most of the free email providers use web based email,
and the chances of rejecting forwarded email from these domains are less.

I believe the patch found @monkeys.com (see previous post) does 1 to 1 mapping,
which wouldn't suffer this one drawback. Also they have a large list of 4400+
frequently forged domains. They claim that using their patch only a small amount
of legit email (1 instance) was tossed on a production mail server.

Regards,

Robert Dalton
AccessWest.com
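The decision logic of the restriction class in Robert's configuration, traced in plain Python so the effect of each table can be seen without a running Postfix. This is an added simulation, not Postfix code and not part of the original post: the table contents are the ones from the message above, the lookup order (full key, then domain and parent domains, with keys case-folded) follows how Postfix access maps behave, the reply text for reject_unknown_client is illustrative, and the sender addresses and client hostnames used as input are constructed. IP-address keys in strict_client_map and the null sender are not modelled.

```python
"""Simulation of the restriction-class setup from the post above.

Added illustration, not Postfix code: it re-implements the decision
logic of the quoted main.cf fragment in plain Python so the effect of
each table can be traced without a running Postfix.  Table contents
are the ones from the post; the sender addresses and client hostnames
fed in below are constructed test data.
"""
import re

# hash:/etc/postfix/strict_sender_map
STRICT_SENDER_MAP = {
    "yahoo.com": "strict_client_domain",
    "hotmail.com": "strict_client_domain",
}

# hash:/etc/postfix/strict_client_map
STRICT_CLIENT_MAP = {
    "yahoo.com": "OK",
    "hotmail.com": "OK",
    "friendly.com": "OK",   # forwards yahoo/hotmail mail legitimately
}

# regexp:/etc/postfix/strict_sender_msg (Postfix regexp tables match
# case-insensitively unless the pattern is flagged otherwise)
STRICT_SENDER_MSG = [
    (re.compile(r"@([^@]*)$", re.IGNORECASE),
     "554 Use mailserver that handles $1 domain"),
]

# unknown_client_reject_code = 554; the reply text here is illustrative
UNKNOWN_CLIENT_REPLY = "554 Client host rejected: cannot find your hostname"


def lookup_domain(name, table):
    """Look up a hostname/domain the way Postfix access maps do: the full
    name first, then each parent domain (parent_domain_matches_subdomains
    covers smtpd_access_maps by default).  Keys are case-folded, and the
    match is label-based, so evilyahoo.com does not match yahoo.com."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def lookup_sender(sender, table):
    """check_sender_access order: user@domain, then the domain and its
    parents, then user@.  IP-address keys are not modelled (assumption)."""
    key = sender.lower()
    if key in table:
        return table[key]
    local, _, domain = key.rpartition("@")
    hit = lookup_domain(domain, table)
    if hit is not None:
        return hit
    return table.get(local + "@")


def evaluate(sender, client_name):
    """Verdict for one (MAIL FROM, connecting client) pair.

    client_name is the client's verified reverse-DNS name, or None when
    the reverse lookup failed (what reject_unknown_client triggers on).
    Returns the SMTP reply line, "OK" when the class permits the sender
    at this stage, or "DUNNO" when these restrictions make no decision
    and Postfix would continue with whatever follows in the list.
    """
    if lookup_sender(sender, STRICT_SENDER_MAP) != "strict_client_domain":
        return "DUNNO"                        # not a frequently forged domain
    # strict_client_domain, evaluated in the order given in main.cf:
    if client_name is None:
        return UNKNOWN_CLIENT_REPLY           # reject_unknown_client
    if lookup_domain(client_name, STRICT_CLIENT_MAP) == "OK":
        return "OK"                           # check_client_access
    for pattern, reply in STRICT_SENDER_MSG:  # check_sender_access regexp:
        m = pattern.search(sender)
        if m:
            return reply.replace("$1", m.group(1))
    return "DUNNO"


if __name__ == "__main__":
    # Constructed cases: a Yahoo webmail relay, a listed forwarder, a
    # dial-up box with no reverse DNS, a random host forging @yahoo.com,
    # an unlisted sender domain, and the drawback the post describes:
    # a host under a listed forwarder's domain can forge @yahoo.com too.
    for sender, client in [
        ("user@yahoo.com", "web12345.mail.yahoo.com"),
        ("user@hotmail.com", "mx1.friendly.com"),
        ("user@yahoo.com", None),
        ("user@yahoo.com", "dsl-1-2-3-4.example.net"),
        ("user@example.org", "dsl-1-2-3-4.example.net"),
        ("spammer@yahoo.com", "shell.friendly.com"),
    ]:
        print(f"{sender:20} from {str(client):26} -> {evaluate(sender, client)}")
```

The last case is the drawback the post describes: once friendly.com is in strict_client_map, any host whose reverse name ends in friendly.com may claim a yahoo.com sender, so every domain added to the client map widens what can be forged for every domain in the sender map.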
